VGPB audits: Goods and services guide

VGPB’s compliance monitoring role

Under the Financial Management Act, the VGPB monitors compliance by departments and specified agencies with its goods and services supply policies. This is done mainly through annual Standing Directions compliance reporting and the VGPB accreditation and audit program.

Oversight and assurance

Each year, agencies attest compliance with the Standing Directions, including compliance with key VGPB policy requirements under direction 4.2.1.2.

Attestations are supported by a requirement under the Standing Directions to develop and implement an audit plan and compliance review over a rolling period of three-or four years.

VGPB accreditation audit

The VGPB provides additional oversight for departments and a select number of large agencies through its accreditation and audit program.

VGPB accreditation assesses how well an organisation’s procurement strategy, policies and processes align with the VGPB policy framework.

The objective of a VGPB accreditation audit is to confirm compliance with both VGPB and agency-specific procurement policy requirements. This audit covers all VGPB policies and requirements. It plays a key role in supporting an application for VGPB Accreditation.

VGPB audit program

To maintain accreditation, departments and accredited agencies participate in the VGPB audit program. These organisations complete two audits every three years. The VGPB monitors audit actions and publishes a summary of audit results in its annual report.

These audits focus on assessing and managing key procurement risks, testing compliance with agency procurement policies and processes and identifying opportunities to enhance performance. The narrower scope allows for a deeper investigation into key risk areas or agency specific improvement opportunities.

The VGPB audit program aims to support departments and accredited agencies to:

identify key procurement risks and improvement opportunities
conduct a targeted audit investigation to evaluate the effectiveness of controls in procurement practice in identified risk areas
advise management to inform on actionable improvements
identify systemic issues to inform VGPB policy, guidance, engagement and capability development

Plan the audit

Focus VGPB audits on different aspects of procurement operations, processes and systems over time to support organisational goals.

Audits may review different stages of the procurement lifecycle including planning, market approach, evaluation and selection, contract management and closure.

Identify risks

Identify key procurement risks or areas for improvement to investigate.

Considerations: Risks can vary between agencies depending on the type of procurement and the control environment. For example:

Low value transactions: May be more vulnerable to fraud in an agency where there is limited oversight of those transactions.

High visibility and system controls: May reduce risks in another agency.

The audit should test how well controls reduce these risks. It should also identify ways to improve risk management to support good procurement outcomes.

Determine the focus areas

Choose the primary focus of each audit based on identified or emerging risks.

Identify the specific areas or processes for review such as contract management, approval workflows or other targeted aspects of procurement operations.

Key risk areas will differ across agencies and may include factors like previous audit findings or recent organisational changes impacting procurement.

Emerging risks: The VGPB has highlighted two emerging procurement risk areas and encourages agencies to consider these where relevant.

Cyber security in procurement audits

Procurement is a target for cyber-attacks, making cyber security an important focus in procurement audits. Auditing for cyber security helps identify, assess, and mitigate these risks.

1. Assess policies, processes, controls
Objective: Evaluate the effectiveness of policies, processes, controls and tools in managing cyber security risks in procurement.
Consider:
- how effective are existing measures in addressing cyber security risks in procurement?
- do they refer to guidance developed by the Victorian Government Cyber Security Team, see Information security: goods and services guide
- how well do they communicate the importance of cyber security risk assessments?
2. Test compliance
Objective: Verify adherence to cyber security policies and processes in procurement activities.
Consider:
- were cyber security risks properly assessed during procurements?
- were the policies followed based on the level of risk identified?

Fraud and corruption in procurement audits

Improper actions such as fraud and corruption within the Victorian public sector can damage the government’s reputation and waste public resources. Fraud and corruption risks can emerge at any stage of the procurement process. For example, failing to disclose a conflict of interest when assessing a tender may introduce bias, compromising the fairness of the evaluation.

1. Assess preventive measures:
Objective: Review policies, processes controls and tools in place to prevent, detect and respond to fraud and corruption in procurement.
Considerations:
- how effectively do communications raise awareness to prevent fraud and corruption?
- what measures are in place to monitor and detect fraud and corruption?
2. Test compliance:
Objective: Evaluate the effectiveness of anti-fraud and corruption controls.
Considerations:
- key controls such as segregation of duties, conflicts of interest, approval processes and access controls.
- metrics, indicators or evaluation criteria used to assess the effectiveness of these controls.

Develop draft audit scope

The audit scope defines the objectives, key risks, focus areas and procurement processes the audit will examine.

It should include relevant business units, activities, timeframes, stakeholders, sample sizes and data analytics techniques. It should also detail what will be excluded from the audit.

Audit checklist: Use the audit checklist to help ensure that the audit aligns with the requirements of the VGPB audit program. This checklist helps ensure all components are covered.

VGPB audit scope evaluation checklist

Word 352.1 KB

Audit scopes must be agreed by the VGPB before commencing the audit.

Audit approach and sampling

The audit scope should specify the sampling method based on the audit’s focus, risk areas and the population size.

Specify sampling method

Align the sample size and composition with the specific risks and controls being tested.

Draw samples from several business units

Include procurements of different values, complexity (transactional, leveraged, focused, and strategic), risk and type (such as goods, services, and information technology).

Adjust sampling method as needed

Adjust the sampling method to focus on areas most relevant to the specific risk under investigation.

Select samples that reflect the specific risks and controls being tested

High-value, high-risk procurements: Conduct a detailed review of a small, representative sample.

Low value or high-volume procurements: Choose a larger sample or use data analytics to cover the entire population.

Specific business area risks: Focus the sample on the relevant business area.

General risks across multiple business areas: Choose a sample from various business units to capture a broad view.

Incorporate data analytics

All audit scopes should incorporate data analytics to enhance policy compliance and control testing. This approach enables comprehensive analysis across the entire procurement population to complement sampling.

While sampling provides a sound base, combining it with data analytics allows for in depth analysis across larger datasets. Data analytics techniques can reveal trends and risks beyond what sampling alone can identify. In cases where procurement systems are limited, auditors can use finance systems or Excel-based records, such as contract registers, for data analysis.

Elements of assurance

The VGPB encourages organisations to cover three elements of assurance in procurement audits.

Practice compliance

Objective: Ensure that procurement operations and staff follow relevant laws, policies, guidelines and VGPB requirements. Verify compliance across various procurement activities.

Evaluate adherence: Assess whether procurement managers and staff consistently follow relevant procurement policies.
Review documentation: Confirm that procedures, decisions and actions align with the relevant policies and standards.
Use representative samples: Provide a balanced view of compliance across procurement activities. This could be supplemented by conducting interviews to gather insights.

Management controls and culture

Objective: Evaluate the policies, procedures, and systems that guide procurement activities to reduce risks and ensure efficient operations. Assess how well the agency’s culture aligns with ethical standards and risk management practices.

Review policies and procedures: Ensure they are current, clear, accessible and user friendly.
Assess agency culture: Use surveys or interviews to measure staff understanding of ethical standards and their willingness to report concerns to help determine if the culture promotes transparency and accountability in procurement.
Evaluate continuous improvement mechanisms: Assess how the agency uses audit findings, complaints, feedback and performance reviews to improve procurement practices. Include both high-risk areas and routine procurement activities in the sample to assess how feedback is applied in different contexts.
Assess internal controls and governance structures: Check that internal controls like segregation of duties and approvals processes are effective. Focus sampling on higher risks areas, including business units or procurement activities most vulnerable to fraud or misconduct.
Test a sample of procurements activities: That reflect the range of risk levels across the agency.

Outcome achievement

Objective: Determine whether procurement activities achieve their desired objectives, including value for money and strategic outcomes.

Assess performance against objectives: Review if the objectives, targets and performance measures in the procurement strategy and are being met.
Test value for money: Ensure mechanisms are in place to evaluate value for money, such as contract reviews or evaluating procurement outcomes.
Adjust Sampling: To reflect the nature of the procurements. Larger, high-value procurements may need more in-depth scrutiny, while smaller procurements may benefit from broader sampling or data analytics.

Timing

The VGPB will review proposed audit scopes during their July or December meetings. The VGPB must agree the audit scope before commencing the audit.

For audits commencing	Send audit scope to VGPB for approval
July - December	By 31 May for approval at June meeting
January – June	By 30 November for approval at December meeting

VGPB audit program process

Follow these steps for more detail and responsibility area.

Agency (Chief Procurement Officer)
- Identify agency specific risks for the audit
- Decide on the focus areas to be covered (refer to the Audit Guide for suggested focus area)
- Contact the VGPB Governance team to discuss the proposed audit scope and focus areas at vgpb@dtf.vic.gov.au
- Obtain internal approval on the draft audit scope and send to vgpb@dtf.vic.gov.au for review
VGPB (during June or December VGPB meeting)
- Review draft audit scopes and:
  - seek any clarification from the agency, or
  - either approve, provide feedback or suggest any changes
Agency (Chief Procurement Officer)
- Once the VGPB has approved the draft audit scope, the audit can start. Notify the VGPB of any delays or changes to the timeline
- Prepare management actions and timeline in response to audit findings and recommendations
- Submit the audit report and management responses to Internal Audit and Risk Committee for approval
- Send the final approved audit report to the VGPB
VGPB
- Review and discuss the audit report and proposed management actions
- Advise the Chief Procurement Officer of any queries and inform the agency Audit committee for their awareness (as applicable)
- Record management actions and completion dates in the audit pipeline
Agency (Chief Procurement Officer)
- Provide a status update on relevant actions in the audit pipeline for each bi-monthly VGPB meeting
VGPB
- Include summary details of departmental and agency audits and actions in the VGPB annual report

Tools and support

Access a document version of this guide in the Toolkit and library. (added once approved)

This guide is supported by the following tool:

VGPB audit scope checklist

For more information on the VGPB audit process, please contact the goods and services policy team.

Updated 21 January 2025